On Sat, 19 Feb 2022, sharmaji a via FreeIPA-users wrote:
> Hi FreeIPA team,
> Can we export users, host list and HBAC rule from existing FreeIPA and
> import them on Freshly installed IPA? FreeIPA ver 4.X
> FQDN and IP address will be same.

There is no easy way of achieving this. 'ipa migrate-ds' could be used
to migrate data from one IPA deployment to another but it has no
understanding of IPA-specific objects. Private groups will turn into
normal ones, SIDs will definitely be different and so on. This may cause
some issues for imported users and groups.

> Post import on new system, is it possible?
> 1. User should be able to use their existing password.

No. Kerberos keys from important LDAP entries will be unreadable because
they are encrypted using a different master key in each deployment and thus
cannot be transferred as it is.

> 2. Existing host, should still be connect with new IPA system after
> Membership rebuild.

No. As I said, Kerberos keys will not be the same, so all hosts would
need to be re-enrolled.

> 3. HBAC rule should work as it is.

This might be achieved but you need to export the rules manually and
import them manually as well.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
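
The manual HBAC export and import mentioned in the reply to point 3 could be scripted along these lines. This is an added example, not part of the original message and not FreeIPA's own tooling. It assumes the rules were dumped from the old server as dictionaries keyed by the IPA API's hbacrule attribute names; the sample rules and the helper names are constructed for illustration.

```python
import shlex

# Assumed input: one dict per rule, keyed by IPA API attribute names;
# values may be lists or scalars. Referenced users, groups, hosts and
# host groups must already exist on the new server before replaying.
MEMBERS = [  # (input key, ipa subcommand, CLI option)
    ("memberuser_user", "hbacrule-add-user", "--users"),
    ("memberuser_group", "hbacrule-add-user", "--groups"),
    ("memberhost_host", "hbacrule-add-host", "--hosts"),
    ("memberhost_hostgroup", "hbacrule-add-host", "--hostgroups"),
    ("memberservice_hbacsvc", "hbacrule-add-service", "--hbacsvcs"),
    ("memberservice_hbacsvcgroup", "hbacrule-add-service", "--hbacsvcgroups"),
]
CATEGORIES = [("usercategory", "--usercat"), ("hostcategory", "--hostcat"),
              ("servicecategory", "--servicecat")]

def _values(rule, key):
    v = rule.get(key, [])
    return [str(x) for x in (v if isinstance(v, (list, tuple)) else [v])]

def rule_to_commands(rule, skip=("allow_all",)):
    """Return shell-quoted ipa commands that recreate one HBAC rule.
    allow_all is skipped by default: a fresh install already has it."""
    name = _values(rule, "cn")[0]
    if name in skip:
        return []
    add = ["ipa", "hbacrule-add", name]
    for desc in _values(rule, "description")[:1]:
        add.append("--desc=" + desc)
    for key, opt in CATEGORIES:
        if "all" in _values(rule, key):
            add.append(opt + "=all")
    cmds = [add]
    for key, sub, opt in MEMBERS:
        members = _values(rule, key)
        if members:
            cmds.append(["ipa", sub, name] + [f"{opt}={m}" for m in members])
    # A rule that was disabled on the old server must not come back enabled.
    if any(x.upper() == "FALSE" for x in _values(rule, "ipaenabledflag")):
        cmds.append(["ipa", "hbacrule-disable", name])
    return [shlex.join(c) for c in cmds]

SAMPLE_RULES = [  # constructed sample data
    {"cn": ["allow_all"], "usercategory": ["all"], "hostcategory": ["all"]},
    {"cn": ["web-ssh"], "description": ["SSH to web tier"],
     "memberuser_group": ["webadmins"], "memberhost_hostgroup": ["webservers"],
     "memberservice_hbacsvc": ["sshd"], "ipaenabledflag": ["FALSE"]},
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print("\n".join(rule_to_commands(r)))
```

Review the generated commands before running them on the new server, since any rule member missing there will make the corresponding command fail.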